SSL – PrivaSecTech (feed last updated Wed, 13 Nov 2019 18:33:32 +0000)

Secure websites (Thu, 29 Aug 2013 20:15:43 +0000)

I’m often asked about secure websites. For example, should you trust the connection between your computer and your bank’s website? This article is going to get a little technical, but hopefully it will give you the tools to tell which websites are secure and which aren’t from now on.

There has been an encryption protocol around for a long time called Secure Sockets Layer (SSL); its successor is called Transport Layer Security (TLS), and it can be used to protect most client/server connections. Running the HTTP protocol over TLS is what makes a web session encrypted, and that is what HTTPS is: the S stands for secure.

This is the difference between HTTP and HTTPS, and it should be easy to see in the URL bar at the top of most browsers. Does the address start with http:// or https://? If it starts with http://, or shows no scheme at all, the connection is not encrypted, meaning anyone on the path between you and the website (whoever shares your Wi-Fi, your ISP, anyone in between) can see everything you do on that site!

So we know that if we don’t want people digitally eavesdropping, or carrying out what is called a man-in-the-middle (MITM) attack, we need to make sure the address of the website we’re going to starts with https://. Most modern browsers also show a padlock icon, or colour the address bar differently, once an HTTPS connection has been established successfully. If the padlock is broken or the browser shows a warning, the connection shouldn’t be trusted: there is a problem with the server’s TLS certificate (expired, issued for a different name, or signed by an authority your browser does not trust), and that is exactly what an attacker’s certificate looks like too.

Are you with me so far? You should not put any personal information into a website that does not use HTTPS properly, and you should remember that everything you do on a plain HTTP website can be monitored, logged, and used against you forever.

The Electronic Frontier Foundation (EFF) partnered with the Tor Project to release HTTPS Everywhere, a browser extension for Chrome and Firefox that automatically redirects your browser to the HTTPS version of a website whenever one is known to exist.

The next article in this series will explain why simply using HTTPS is no longer good enough on its own, but it is the first step towards understanding why we need to start ensuring our HTTPS sessions use Perfect Forward Secrecy.

If you use SSL, cURL up and VERIFYPEERS (Thu, 14 Mar 2013 22:01:50 +0000)

Reader level: Techy/Sysadmin

My friend Kevin S McArthur announced over a year ago at an Ideas Meeting that he had found an interesting information security flaw, which he described as fairly large and affecting a whole class of applications. I enquired further and pressed for more details, but he insisted on following a responsible disclosure process (which you can read about on his blog). This included contacting the CBA (Canadian Bankers Association), the Privacy Commissioner of Canada and the Canadian Cyber Incident Response Centre (a division of Public Safety Canada).

Six months later, his finding was released as an information note called “Implementing PHP cURL Verifypeer Option in Applications Requiring SSL Certificate Verification”. Most official publications like this are either so vague you can’t even understand the issue, or so technical that the journalists who would write about such dangers are left scratching their heads. This one seems to fit the latter, as I’ve seen no mainstream attention to an issue that affects the security of the internet as we know it today.

The technical details:

If your PHP application uses the cURL extension to make HTTPS connections to other servers (a payment gateway, an OAuth provider, a partner API), there is an option called CURLOPT_SSL_VERIFYPEER. If a developer sets it to 0 or false, the entire trust validation process that SSL offers is removed: cURL will accept any certificate at all, including one an attacker generated for themselves, and that trust validation is essentially the security of the internet as we know it. A related option, CURLOPT_SSL_VERIFYHOST, must be set to the integer value 2. Setting it to true, 1, 0 or false means the name in the certificate is never matched against the host you think you are connecting to, so a valid certificate for any other site will do. Either mistake lets someone on the network path impersonate the remote server, which is the attack that has been labelled peerjacking.

The impact:

It turns out some major organizations had verification switched off in this way. This means we don’t know whether the bad guys were exploiting it then, or have started since. This isn’t a vulnerability in cURL or PHP itself; it’s a misconfiguration, usually a lazy developer silencing certificate errors (often first met against a test server with a self-signed certificate) rather than fixing them, because disabling the check is less work.

So who is affected? A lot of the organizations you rely on, organizations that can afford more lawyers than I can. A Google search (or a GitHub search for CURLOPT_SSL_VERIFYPEER being set to false) should reveal many to anyone willing to do a little investigating. We’re talking credit card companies, online payment companies, and some organizations that use OAuth, to name a few.

Even though it’s more than six months since this was announced, there are still organizations that are vulnerable, so check yours today.
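To make the two options concrete, here is an added example (my own illustration, not code from the post or from the information note): the insecure settings described above next to a hardened set, plus a small audit helper you can run over your own option arrays. The URL and the CA bundle path are placeholders; point the latter at your distribution’s bundle.

```php
<?php
// Added example (not from the original post or the information note).
// The URL and CA bundle path below are placeholders.

// The "turn the errors off" pattern. Chain validation is disabled, and the
// host name check is set to true, which PHP passes to cURL as 1: on the cURL
// versions the note was written against, 1 only checked that *a* common name
// exists, so a certificate minted for any name, by anyone, is accepted.
function insecure_curl_options(string $url): array {
    return [
        CURLOPT_URL            => $url,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => false,
        CURLOPT_SSL_VERIFYHOST => true,
    ];
}

// Hardened: validate the chain against an explicit CA bundle, require the
// certificate to match the host (2 is the only correct value), and refuse to
// speak, or follow redirects to, anything but HTTPS.
function secure_curl_options(string $url, string $caBundle): array {
    return [
        CURLOPT_URL             => $url,
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_SSL_VERIFYPEER  => true,
        CURLOPT_SSL_VERIFYHOST  => 2,
        CURLOPT_CAINFO          => $caBundle,
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTPS,
    ];
}

// Returns human-readable findings for an option array. An empty array means
// the two verification options are either left at cURL's safe defaults or set
// correctly; anything else is a peerjacking opportunity.
function audit_curl_options(array $opts): array {
    $findings = [];
    if (array_key_exists(CURLOPT_SSL_VERIFYPEER, $opts) && !$opts[CURLOPT_SSL_VERIFYPEER]) {
        $findings[] = 'CURLOPT_SSL_VERIFYPEER is off: any certificate, including a self-signed one, is accepted';
    }
    if (array_key_exists(CURLOPT_SSL_VERIFYHOST, $opts) && (int) $opts[CURLOPT_SSL_VERIFYHOST] !== 2) {
        $findings[] = 'CURLOPT_SSL_VERIFYHOST is not 2: the certificate name is not matched against the host';
    }
    return $findings;
}

// Performs the request and fails closed: a certificate problem surfaces as an
// exception instead of being silently "fixed" by loosening the options.
function fetch_verified(string $url, string $caBundle): string {
    $ch = curl_init();
    curl_setopt_array($ch, secure_curl_options($url, $caBundle));
    $body = curl_exec($ch);
    if ($body === false) {
        // e.g. CURLE_PEER_FAILED_VERIFICATION (60) when the chain does not validate
        $err = sprintf('cURL error %d: %s', curl_errno($ch), curl_error($ch));
        curl_close($ch);
        throw new RuntimeException($err);
    }
    curl_close($ch);
    return $body;
}

// Offline demonstration: audit both option sets without opening a connection.
$caBundle = '/etc/ssl/certs/ca-certificates.crt';   // placeholder path
foreach ([
    'insecure' => insecure_curl_options('https://api.example.com/charge'),
    'secure'   => secure_curl_options('https://api.example.com/charge', $caBundle),
] as $label => $opts) {
    $findings = audit_curl_options($opts);
    printf("%-9s %s\n", $label . ':', $findings ? implode('; ', $findings) : 'no findings');
}
```

The audit function only inspects option arrays, so it runs offline; fetch_verified makes a real request and is there to show the fail-closed shape. To find the problem in an existing code base, grep for CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST and look at every value passed to them, and remember that leaving both options out entirely is safe, since cURL’s defaults verify.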

Google now offering secure search (Sat, 22 Oct 2011 01:28:48 +0000)

It’s not often that we’ve given Google credit for privacy or security steps, but this week is one of those times. Following the moves by Facebook and Twitter we wrote about back in May, Google has, five months later, announced that it is now offering SSL (HTTPS) searches! Mind you, this is a more significant step than Facebook’s or Twitter’s: those involved in SEO/optimization will quickly realize that search keyword data is no longer passed on to you as the web manager (Google will still provide the top 1000 through its Webmaster Tools). And while the optimization folks won’t be pleased, on behalf of the privacy and security community I would like to give credit where credit is due. Thanks, Google!

Tech tip: Both and work now, update all of your Google bookmarks, so others between you and Google can’t quietly see what you’re searching anymore!

Ich Sun is back, claiming the #MostSophisticatedHackOfAllTime (Tue, 06 Sep 2011 19:47:47 +0000)

You may have read my Comodogate article back in March, where I reported that the Comodogate hacker, going by the name Ich Sun, told me “…there is a lot of vulnerable CAs, I got some other stuff”. Well, in the last 24 hours he has claimed responsibility for the DigiNotar compromise, and a few minutes ago he provided another update; in these updates he says that, as a 21-year-old Iranian, he has compromised another four certificate authorities (CAs) and reverse engineered Windows Update (update your Windows here). What do these hacks do? With a certificate issued by a compromised CA he can impersonate any secure website he wishes, including Google and Gmail, and certificates from this breach have already been seen used in the wild for exactly that. The certificate authority model that secures the internet as we know it today will have to change as a result, so this has serious impact.

What can you do?

If you’re on Twitter, I’ve found the most interesting discussion on the topic to be between Kevin S McArthur, Moxie Marlinspike and Marsh Ray, although it’s fairly technical in nature due to the complexity of this attack. Otherwise, stay tuned here for updates, or ask us your questions.

Upgrade your browser before you check your gmail (Tue, 30 Aug 2011 20:26:48 +0000)

There is a fraudulent wildcard (*) SSL certificate for Google’s domains in the wild, which means malicious people can sit between you and anything at Google (including Gmail), pretend they are Google, and watch everything you do. DigiNotar is the root certificate authority (CA) that issued this certificate. It’s not clear whether this was intentional or not, but regardless, this is the internet version of a death sentence for the company. Mozilla and Microsoft have both pulled DigiNotar’s root out of their browsers. A user in Iran has reported the certificate being used against him; it’s not clear whether the attack came from his ISP or his government, but you could also be a victim. Make sure you have an up-to-date version of your browser before you visit any of Google’s services. You can read the Darknet article for more details.

You should be able to tell you’re safe if you go to DigiNotar’s website and get a certificate error: that means your browser no longer trusts anything DigiNotar has signed, including the fraudulent Google certificate.

Using a secure connection where possible (Thu, 12 May 2011 21:17:48 +0000)

I received a lot of feedback after my post yesterday about creating a permanent SSL (https://) connection to Facebook. It’s most important to use SSL anywhere you don’t want people to see what you’re doing or looking at: for example, anything with a form that asks for personal information, any page where you log in to a site with your password, or anywhere you enter your credit card or banking details. At a minimum, all of these things should be https://. Anything not using https:// (SSL) can be sniffed (it’s plain text, so people can watch, read and log what you’re doing).

If you can’t find the setting on your favourite website, contact them and ask them to make SSL always on. Here is an example of how to do this on Twitter:

[Image: twitter - https]

What other websites can you find this setting on? Also, make sure your bookmarks are for the https:// version of the website, and not the http:// version.


Tech Tip: Secure connection to Facebook (Wed, 11 May 2011 22:59:10 +0000)

This tip is to create a permanent secure connection to Facebook. You can tell you’re using SSL if the URL starts with https:// instead of http://. When you’re logged into Facebook, go to

Account – Account Settings – Account Security, and then click on the “Change” link.

There you will see a check box followed with “Browse Facebook on a secure connection (https) whenever possible”. Make sure this checkbox is checked, and then click on “save”. Now log out and back into Facebook, and you should never see http:// at the top for Facebook again.

[Image: Facebook - Always https]

Why is there so much fear about …? (Thu, 18 Nov 2010 23:58:51 +0000)

This is my first Q&A post. If you have a question about anything Privacy, Security or Technology related, contact us on our website or ask us on Twitter.

Today’s question comes from Jordan_Keats on Twitter: “Why is there so much fear about Paypal transactions? Why hasn’t it been accepted as an evolution of $?”

Hi Jordan,

I get asked this question fairly often. Also related: “How do I know my online banking is safe?” and “Would you shop online?”. I think the answer goes back a lot further than the switch to digital currency. People are resistant to change.

Take a look at the fraud departments of PayPal and the credit card companies. They are now well-oiled machines when it comes to fraud.

The main thing to remember when doing anything involving your personal information, including financial transactions, is to make sure the URL bar at the top of your browser always shows https:// at the beginning rather than http://; this means the connection between you and the website in question is encrypted.

You are a lot more likely to have your information compromised on your own computer, or at the other end, than during the transaction. And even if this happens, so what?

I use paypal, shop online, and do all my banking online. Give it a try, you won’t go back.